
Relevant to Paper FAU and ACCA Qualification Paper F8 (INT) and (UK)

This article focuses on the audit of wages but many of the points made
also apply to salaries (the term payroll covers both). The distinction
between the two is that wages are normally paid weekly in cash to
employees working in departments such as production. Salaries, on the
other hand, are paid monthly to employees normally working in
administrative departments, via electronic transfers to their bank
accounts. Changes in technology and less reliance on cash have blurred
this traditional distinction and many hourly paid employees are now paid
via bank transfer. However, in some small companies or in parts of the
world where few people have bank accounts, employees are still paid in
cash based on hours in attendance or work completed.
COMMON PAYROLL FRAUDS

Even companies that appear to have good internal controls can suffer
from instances of fraud. The most common payroll frauds include:
1. The inclusion of fictitious (ghost) employees on the payroll: this can happen in circumstances where blank
clock-cards are kept by factory supervisors who also distribute wage packets to employees. There is also a risk
of this type of fraud if staff who update the master file for changes are also involved in the preparation or
distribution of wage packets.
2. Deliberate timing errors: a variation on the above fraud is to include new employees on the payroll before
they actually commence work or to leave them on the payroll after they have left.
3. Requesting a cheque for net wages in excess of the required amount. This type of fraud is generally easier to
perpetrate in manual wages systems. Alternatively, if employees are paid by bank transfer a lack of controls
could provide staff with the opportunity to make changes to the list before it is sent to the bank.
4. Payment of unauthorised/invalid overtime: this can happen in circumstances where the authorisation of
overtime is not properly controlled or details of overtime input during the preparation of the payroll are not
independently reconciled to authorised totals for the week.

The common feature that often facilitates these frauds is inadequate
segregation of duties. Frauds can be difficult to prevent where there is
collusion among staff. Historically organisations have lost significant
sums when large numbers of staff came to expect the routine inclusion of
unauthorised overtime in their pay.
AUDIT WORK ON WAGES

Most of the audit work on the wages system should be performed during
the interim audit but some substantive procedures to confirm payroll
costs and wage accruals should normally form part of the final audit.
Interim audit work on wages should involve the normal stages of
recording, evaluating and testing internal controls.
WAGES CONTROL OBJECTIVES

Typical control objectives for wages include the following:


1. To ensure that employees are only paid for work done.
2. To ensure that wages are only paid to valid employees.
3. To ensure that all wages are authorised.
4. To ensure that wages are paid at the correct rates of pay.
5. To ensure that wages are correctly calculated.
6. To ensure all wages transactions are correctly recorded in the books of account.
7. To ensure that all payroll deductions are paid over to appropriate third parties (for example, tax authorities).

EVALUATION OF THE INTERNAL CONTROL SYSTEM

The evaluation should be performed by considering if controls exist to
ensure specified control objectives are met.
Auditors often complete questionnaires to assist in system evaluation.
Internal Control Questionnaires (ICQs) ask specific questions about
controls relevant to each control objective. The alternative is Internal
Control Evaluation Questionnaires (ICEQs), sometimes referred to as 'key'
or 'control' questions, which focus on risks rather than objectives. They
cover the same areas as control objectives and typical examples include:

Can employees be paid for work not done?

Can wages be paid to fictitious employees?

Can unauthorised wages be paid?

Can errors occur in wage calculations?

Can wage costs be incorrectly recorded?

If the evaluation indicates that controls exist, a test of controls (compliance test) will
be performed, but if controls are weak or absent then a substantive procedure will
be appropriate, to determine if material misstatement has occurred.
STAGES IN A WAGES SYSTEM

Five stages are shown below and typical controls identified are linked to
relevant control objectives.
(i) Setting up master file data

Robust recruitment procedures are required before new employees are
entered on the wages master file. Interviews should be undertaken
involving senior staff to ensure the new employee has the required skills.
New starters forms should be completed in the human resources (HR)
department and copies retained along with contracts of employment.
Changes to standing data on the master file should be performed by staff
who are independent of processing payroll. The wages master file
contains all the standing data about employees, such as name, address,
date of birth, date of starting employment, employee number, rate of pay
and tax code.
Relevant controls

Changes to master file data such as rates of pay and new starters/leavers should be supported by forms
approved by a senior responsible official. (Control objectives 2 and 4)

Access to the master file should require a responsible official's password and a log of standing data
amendments should be produced and reviewed. (Control objectives 2, 3 and 4)

An independent check should be performed of the standing data amendments log to supporting documentation.
(Control objectives 2, 3 and 4)

(ii) Recording wages due

Clock cards are often used to record the hours that employees enter and
leave the premises. Modern equivalents would include employee ID
cards which are swiped by an electronic card reader. In this scenario
employees are paid based on hours worked. If employees are paid in
accordance with work completed job cards may take the place of clock
cards.
Relevant controls

Supervision of clocking on points and control over blank clock cards (or employee ID cards) are essential.
(Control objective 1)

Clock cards should be authorised by a responsible official before they are sent to the payroll departments.
(Control objectives 1 and 3)

HR department should keep blank clock cards or ID cards, which are only issued for new employees with
contracts of employment. (Control objective 2)

(iii) Calculation of wages

Hours worked should be converted to a gross wage by reference to the
employee's hourly rate of pay and deductions such as payroll taxes are
made to calculate net pay. Software is normally used to produce the
weekly payroll and calculation errors are less likely than with manual
systems. Gross wages should be based on a standard working week (for
example, 40 hours) and if overtime has been worked this should be
picked up from the clock card. However, in some systems, authorised
lists of overtime worked during the week are entered so that the revised
gross wage can be calculated.
Relevant controls

Overtime forms/listings should be reviewed and authorised by responsible managers before input to the
system. (Control objectives 1 and 3)

Software controls should include data validation (edit) checks on the data fields included on transactions,
and include reasonableness, existence, range and character checks. Error reports should be produced which
list rejected items, for example, employee numbers entered that do not exist. Also, exception reports should list
transactions that have been processed but which exceed certain pre-determined limits, for example, employees
earning more than $2,000 per week or those who worked more than 30 hours of overtime. It is very important
that both reports are investigated closely and, if necessary, data corrected and re-input. (Control objectives 2 and
4)

A sample of payroll calculations should be checked by a senior responsible official and the payroll initialled.
(Control objective 5)

(iv) Payment of wages

As indicated earlier employees should either be paid in cash or by bank
transfer. In the case of cash a cheque should be signed, preferably by
two senior responsible officials (normally directors in small companies).
Once collected from the bank the cash should be included in pay packets
with payroll slips for subsequent distribution to employees.
Relevant controls

The payroll should be reviewed by a senior responsible official before the payroll cheque is signed. If
employees are paid by bank transfer, the list should be authorised before being sent to the bank. (Control
objectives 2 and 3)

Two individuals independent of the processing of wages should be involved in the make up of pay packets
and during the wages payout. (Control objective 2)

Employees' signatures should be required when wages are collected, as evidence of receipt. If employees
are absent their wages packets should be entered in an uncollected wages book and returned to a safe under
the control of an independent responsible official (eg the cashier). There should be a requirement for formal
identification procedures to be carried out on the subsequent collection of wage packets. (Control objective 2)

(v) Accounting for wage costs and deductions

Payroll software should automatically transfer total wage costs and
deductions such as tax and pension contributions to the appropriate
accounts in the nominal (general) ledger. Outstanding wages owed to
employees or deductions not yet paid over to the relevant third parties
should be accrued and disclosed as other payables.
Relevant controls

Monthly comparison of actual and budgeted payroll costs and investigation of significant variances. (Control
objective 6)

Independent reconciliation of total pay and deductions between one payroll and the next. (Control objective 6)

Annual completion of tax returns and reconciliation to total tax deducted. (Control objective 7)

The above comparisons and reconciliations should be performed by
senior responsible officials who are independent of the payroll
department, for example, management or financial accounting staff.
TYPICAL TESTS OF CONTROL AND SUBSTANTIVE TESTS
Interim audit

The type of test performed will depend on the particular features of the
wages system and the auditor's evaluation of controls. Typical tests for
each control objective are listed below. However, this list is not
exhaustive and some of the substantive procedures may be carried out
during the final audit.
1. To ensure that employees are only paid for work done.
Test of control: observe clocking on procedures and the level of supervision.
Substantive procedure: select a sample of employees from the payroll and agree hours paid to individual clock
cards.

2. To ensure that wages are only paid to valid employees.
Test of control: attend the wages pay out.
Substantive procedure: select a sample of employees from the payroll and vouch to individual contracts of
employment in HR department.

3. To ensure that all wages are authorised.
Test of control: review overtime forms/lists for authorised signatures.
Substantive procedure: compare overtime costs each month with the prior year and investigate significant
variances.

4. To ensure wages are paid at the correct rates of pay.
Test of control: review log of amendments to master file for evidence of independent review.
Substantive procedure: obtain printout of employee wage rates and compare to HR records.

5. To ensure that errors do not occur in payroll calculations.
Test of control: review payrolls for signatures as evidence of independent calculation checks.
Substantive procedure: select a sample of employees and check calculations of gross and net pay.

FINAL AUDIT

Tests to ensure the accuracy and completeness of balances in respect of
wage costs and payroll deductions (Control objectives 5, 6 and 7) are
normally substantive in nature and conducted as part of the final audit.
A substantive audit programme should include:

Agree total wages and deductions per selected payrolls to the amounts recorded in the individual general
(nominal) ledger accounts.

Perform analytical procedures such as proof in total by using number of employees and average wage.
Investigate any significant fluctuations.

Carry out month-by-month comparisons of total wages with prior year/budgets and investigate differences.

Agree sundry payables for tax outstanding at the year end to the payroll records and check subsequent
payment to cash book.

Computer assisted audit techniques use the computer as an audit tool
and the most common examples are test data and audit software. These
could be employed during the interim and final audit of wages.
Test data consists of data submitted by the auditor to test the operation of
application controls such as data-validation (edit) checks. Test data
should be input using valid and invalid transactions to check the
operation of these controls. Examples include:

Input employee numbers that do not exist or are in an incorrect format to ensure these items are rejected
and included on an error report.

Input a gross weekly pay exceeding $2,000 to ensure these employees are included on an exception
report.

Input overtime hours exceeding 30 hours per week to ensure these employees are also included on an
exception report.
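
The test-data approach described above, as an added Python illustration that is not part of the original article: a small payroll routine with edit checks, an error report and an exception report, plus auditor test data whose expected outcomes are compared with what the routine actually does. The $2,000 and 30-hour limits are the article's; the employee number format, master file, overtime multiplier, 168-hour range limit and all field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

GROSS_PAY_LIMIT = 2000.00   # article's exception limit, dollars per week
OVERTIME_LIMIT = 30         # article's exception limit, overtime hours per week
EMPLOYEE_NO = re.compile(r"E\d{4}")   # assumed employee number format
MASTER_FILE = {"E1001": 18.50, "E1002": 22.00, "E1003": 55.00}  # constructed rates
OVERTIME_MULTIPLIER = 1.5   # assumed
MAX_HOURS = 168             # assumed range limit: hours in a week


@dataclass
class Transaction:
    employee_no: str
    standard_hours: object   # raw input, may be invalid
    overtime_hours: object   # raw input, may be invalid


def edit_checks(txn):
    """Data validation (edit) checks; an empty list means the input is accepted."""
    failures = []
    if not isinstance(txn.employee_no, str) or not EMPLOYEE_NO.fullmatch(txn.employee_no):
        failures.append("character check: employee number format")
    elif txn.employee_no not in MASTER_FILE:
        failures.append("existence check: employee number not on master file")
    for field in ("standard_hours", "overtime_hours"):
        value = getattr(txn, field)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            failures.append(f"character check: {field} is not numeric")
        elif not 0 <= value <= MAX_HOURS:
            failures.append(f"range check: {field} outside 0-{MAX_HOURS}")
    return failures


def process(txn):
    """Return (outcome, gross, reasons); outcome is rejected, exception or accepted."""
    failures = edit_checks(txn)
    if failures:
        return "rejected", None, failures
    rate = MASTER_FILE[txn.employee_no]
    gross = round(rate * txn.standard_hours
                  + rate * OVERTIME_MULTIPLIER * txn.overtime_hours, 2)
    reasons = []
    if gross > GROSS_PAY_LIMIT:
        reasons.append("gross pay exceeds weekly limit")
    if txn.overtime_hours > OVERTIME_LIMIT:
        reasons.append("overtime exceeds weekly limit")
    return ("exception" if reasons else "accepted"), gross, reasons


def run_batch(transactions):
    """Build the error report (rejected) and exception report (processed, over limit)."""
    error_report, exception_report = [], []
    for txn in transactions:
        outcome, gross, reasons = process(txn)
        if outcome == "rejected":
            error_report.append((txn.employee_no, reasons))
        elif outcome == "exception":
            exception_report.append((txn.employee_no, gross, reasons))
    return error_report, exception_report


# Auditor's test data (constructed): each transaction with the outcome expected
# if the application controls operate as described.
TEST_DATA = [
    (Transaction("E1001", 40, 0), "accepted"),
    (Transaction("E9999", 40, 0), "rejected"),        # number does not exist
    (Transaction("1001E", 40, 0), "rejected"),        # incorrect format
    (Transaction("E1001", "forty", 0), "rejected"),   # non-numeric hours
    (Transaction("E1003", 40, 0), "exception"),       # gross 2,200 > 2,000
    (Transaction("E1002", 40, 31), "exception"),      # 31 overtime hours > 30
    (Transaction("E1002", 40, 30), "accepted"),       # boundary: exactly 30
]


def control_deviations(test_data):
    """Test cases where the system's outcome differs from the auditor's expectation."""
    deviations = []
    for txn, expected in test_data:
        actual = process(txn)[0]
        if actual != expected:
            deviations.append((txn, expected, actual))
    return deviations


if __name__ == "__main__":
    errors, exceptions = run_batch([txn for txn, _ in TEST_DATA])
    print("Error report:", errors)
    print("Exception report:", exceptions)
    print("Control deviations:", control_deviations(TEST_DATA))
```

An empty list of deviations is the auditor's evidence that the edit checks operated on the test data; any entry is a control deviation to follow up.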

Audit software is normally used by the auditor for substantive testing and can
interrogate a client's computer files, re-perform calculations or extract
items for further investigation. Examples include:

Re-perform calculations of gross wage, deductions and casts on selected payrolls.

Compare the payroll file at the beginning and end of the period to identify starters and leavers, which could
then be checked to appropriate documentation.

Compare employee records on the payroll file and HR files.
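
The file comparisons listed above, as an added Python illustration that is not part of the original article: it identifies starters and leavers from two payroll extracts and compares the period-end payroll with HR records to extract items for investigation. All records, dates and field names are constructed for the example.

```python
from datetime import date

PERIOD_END = date(2023, 12, 31)   # constructed period end

# Constructed payroll extracts: employee number -> hourly rate on the payroll file.
PAYROLL_START = {"E1001": 18.50, "E1002": 22.00, "E1003": 55.00, "E1007": 19.50}
PAYROLL_END = {"E1001": 18.50, "E1003": 57.00, "E1004": 20.00,
               "E1005": 19.00, "E1006": 21.00, "E1007": 19.50}

# Constructed HR file: contract rate, start date and leaving date (None if current).
HR_RECORDS = {
    "E1001": {"rate": 18.50, "start": date(2019, 3, 4), "left": None},
    "E1002": {"rate": 22.00, "start": date(2020, 1, 6), "left": date(2023, 6, 30)},
    "E1003": {"rate": 55.00, "start": date(2018, 5, 1), "left": None},
    "E1004": {"rate": 20.00, "start": date(2023, 9, 4), "left": None},
    "E1006": {"rate": 21.00, "start": date(2024, 1, 15), "left": None},
    "E1007": {"rate": 19.50, "start": date(2021, 2, 1), "left": date(2023, 8, 31)},
    # No HR record exists for E1005.
}


def starters_and_leavers(payroll_start, payroll_end):
    """Employees added to, or removed from, the payroll file during the period."""
    starters = sorted(set(payroll_end) - set(payroll_start))
    leavers = sorted(set(payroll_start) - set(payroll_end))
    return starters, leavers


def hr_exceptions(payroll, hr_records, period_end):
    """Compare a payroll file with HR records and list items to investigate."""
    findings = []
    for emp_no in sorted(payroll):
        hr = hr_records.get(emp_no)
        if hr is None:
            # Possible fictitious (ghost) employee.
            findings.append((emp_no, "no HR record"))
            continue
        if payroll[emp_no] != hr["rate"]:
            findings.append((emp_no, "rate differs from HR record"))
        if hr["start"] > period_end:
            # Timing error: on the payroll before commencing work.
            findings.append((emp_no, "on payroll before start date"))
        if hr["left"] is not None and hr["left"] <= period_end:
            # Timing error: left on the payroll after leaving.
            findings.append((emp_no, "on payroll after leaving date"))
    return findings


if __name__ == "__main__":
    starters, leavers = starters_and_leavers(PAYROLL_START, PAYROLL_END)
    print("Starters to vouch to contracts:", starters)
    print("Leavers to vouch to leaver forms:", leavers)
    for emp_no, issue in hr_exceptions(PAYROLL_END, HR_RECORDS, PERIOD_END):
        print(emp_no, issue)
```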

SUMMARY

Knowledge of the stages in a typical wages system and the link between
control objectives, controls and audit tests should help students
distinguish between these terms. It is also important that, for a given
wages system, candidates can identify significant deficiencies in internal
control, explain the implications of the deficiencies and recommend
appropriate controls.
Written by a member of the Paper FAU examining team

THE CONTROL ENVIRONMENT OF A COMPANY




The purpose of this article is to provide candidates with a more detailed appreciation of matters pertinent to
an auditor, focusing on the need for the auditor of a large limited liability company (in the UK a limited
company) to evaluate the effectiveness of the company's control environment.
ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its
Environment, sets out the auditor's responsibility to identify and assess the risks of material misstatement in the
financial statements, through understanding the entity and its environment including the entity's internal control. One
of the five components of internal control is the control environment and it is recognised that the control environment
within small entities is likely to differ from larger entities. Many candidates have not yet had the opportunity of working
in larger entities, or have chosen not to, so have not been exposed to working within the type of strong control
environment often referred to in auditing texts. Consequently, they often have limited experience on which to draw
when answering exam questions that require anything other than superficial knowledge of an entity's control
environment.
This article aims to provide common examples of matters the auditor needs to consider when assessing an entity's
control environment, and in making an assessment as to their impact on the risk of material misstatement in the
financial statements. Reflecting the general trend of exam questions testing knowledge of this area, the article
focuses on the need for the auditor of a large limited liability company (in the UK a limited company) to evaluate the
effectiveness of the company's control environment.
A company's control environment comprises seven elements each requiring careful consideration by the company's
auditor, recognising that some elements may be more pertinent than others depending on the subject company.
Each one of these elements is identified below, along with an explanation of specific practical aspects that may be
considered by the auditor when evaluating its effectiveness. Candidates should be aware that this process forms part
of the auditor's assessment of the overall effectiveness of the company's internal control, relevant to the audit.
1 Communication and enforcement of integrity and ethical values
Many companies have high values and seek to promote honesty and integrity among their employees on a day-to-day
basis. Clearly, if it is evident that such values do exist and are communicated effectively to employees and enforced,
this will have the effect of increasing confidence in the design, administration and monitoring of controls leading to a
reduced risk of material misstatement in a company's financial statements. For example, where a company adopts
comprehensive anti-bribery and corruption policies and procedures with regard to contract tendering, and has formal
employee notification and checking practices in this regard, it follows that there is reduced risk of material
misstatement due to the omission of provisions for fines for the non-compliance with relevant laws and regulations.
Alternatively, the existence in a company of comprehensive and ethical procedures with regard to the granting of
credit facilities to customers and the pursuance of payment for goods and services supplied, together with regular
supervisory control in this respect, is likely to lead to increased audit confidence in the trade receivables area. This is
because the existence of a system allowing goods and services to be supplied on credit to customers provides the
opportunity for fraud to be perpetrated against the company by employees and customers, particularly if controls are
deficient in terms of their design or implementation.
2 Commitment to competence
Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. It is
self-evident that if individual employees are tasked with carrying out duties that are beyond their competence levels, then
desired objectives are unlikely to be met. For example, there is an increased probability that the objective of avoiding
material misstatement in a set of complex financial statements will not be met if prepared by an inexperienced
company accountant. This is simply due to the inexperience (translating to a lower competence level) of the
accountant. From this, it follows that the auditor will have increased confidence in internal control relevant to the audit,
where management have taken measures to ensure employees who participate in internal control are competent to
carry out relevant tasks effectively. Measures taken by management in this regard can cover a range of activity
including for example, rigorous technical and aptitude testing at the employee recruitment stage and in-house or
external training courses and mentoring from more senior colleagues.
3 Participation by those charged with governance
The directors of a limited liability/limited company are charged with the company's governance. As such, they are
responsible for overseeing the strategic direction of the company and its obligations related to its accountability, for
example, to governments, shareholders and to society in general. In particular, in most jurisdictions the company's
directors are responsible for the preparation of its financial statements. Given the influence that the actions of
directors have on a company's internal control, the extent of their day-to-day active involvement in the company's
operations has a pervasive effect on the internal control of the company.
The extent to which directors do get involved will, to some extent, depend on legislation or codes of practice setting
out guidance for best practice in given jurisdictions. For example, the UK Corporate Governance Code (with which
companies listed on the London Stock Exchange should comply) sets out standards of good practice, including those
pertaining to board leadership and effectiveness. Notwithstanding legislation and codes of practice, the extent of each
director's participation is largely influenced by the nature of their professional discipline and their individual
perspective about how they should carry out their respective roles. Some may see themselves as micromanagers,
while others will trust subordinates to carry out defined duties with minimal interference. Frequently, directors will be
very experienced and adopt an arm's-length approach to getting involved in operational tasks. However, they may
insist on monitoring activity by way of receipt of formal narrative reports. Other directors may adopt a more casual (but
equally thorough!) 'working alongside subordinates' approach as a method of monitoring activities.
All of the variables mentioned above with regard to director involvement, should be important considerations of an
auditor as part of the process of ascertaining the extent of internal control in the company and in assessing its
effectiveness.
4 Management's philosophy and operating style
A company's board of directors will comprise individuals each with a different mindset as to philosophy and
operating style, manifested in characteristics such as their:

approach to taking and managing business risk

attitudes and actions toward financial reporting

attitudes toward information processing and accounting functions and personnel.

Each of the above characteristics underlies a company's control environment and it is crucial for an auditor to have an
understanding of them. Dealing with each in turn:
Approach to taking and managing business risk. Business risk is the risk inherent in a company as a consequence of
its day-to-day operations and it comprises several components. The first of these is financial risk, for example, the
risk that the company may have insufficient cash flow to continue in operation. The second component is operational
risk, for example, the risk that the company's product lines may decline in popularity leading to a sharp decline in
sales and profitability. The final component of business risk is compliance risk, for example, the risk that the
company may be in breach of health and safety regulations, leading to the possibility of hefty fines or even the
closedown of operational activity.
Candidates should be aware that a risk-based approach to an audit requires the identification and assessment of
inherent risk factors and then of the control risk pertaining to these, in order to determine the risk of material
misstatement, prior to carrying out substantive procedures. By adopting a top-down approach to the audit and first
identifying business risks, auditors should be able to identify the associated inherent risks arising. They can then
progress through the audit using the audit risk model (audit risk = the risk of material misstatement x detection risk) to
determine the amount of detailed testing required in each area of the financial statements. To illustrate this approach,
referring to the compliance risk example above, an inherent risk arises from the risk of a breach of health and safety
regulations. As a consequence, there is a risk that the company's liabilities may be understated due to the omission of
a provision required in the financial statements, in respect of a fine for a non-compliance.
The directors' approach to taking and managing business risk has obvious ramifications on a company's financial
statements, and the auditor should be aware of the various factors that influence directors in this area, and of
applicable controls in place. It is often the case that a newly established company with young entrepreneurial
directors and a flat management structure will have a more liberal approach to taking and managing business risk
than a well-established company with more experienced directors, and a steep hierarchical management structure.
Consequently, it is likely that there would be a lower level of a risk of material misstatement in the financial statements
of the latter company.
Attitude and actions toward financial reporting. Financial Reporting Standards exist to help facilitate fairness,
consistency and transparency of financial reporting. However, some determinants of profitability such as the measure
of depreciation, the valuation of inventory or the amount of a provision remain open to the subjective judgment of
management. Consequently, the auditor needs to gain an understanding of directors' attitudes and actions to financial
reporting issues and then make a judgment as to the extent of reliance that can be placed upon these. It may be that
in a company that is struggling in a faltering economy, and in another driven by a culture to report increasing profits,
there is a tendency to adopt aggressive (as opposed to conservative) accounting principles, in order to meet profit
expectations. Clearly, on such audit engagements it is important for the auditor to remain resolute in exercising
appropriate levels of professional scepticism throughout.
Attitude towards information processing and accounting functions and personnel. Properly financed and resourced
with sufficient numbers of appropriately qualified staff and contemporary information and communications technology,
the financial reporting (accounting) and information processing functions of a company are vital to a company's
ongoing existence. They are key to the facilitation of compliance with laws and regulations, transactions with third
parties, administration and control systems and in the provision of information for decision making. In most very large
companies many aspects of the accounting function are inextricably intertwined with specific aspects of the
company's information processing systems, and there is an ongoing programme of investment in these, to ensure that
the accounting and information processing systems are contemporary and fit for purpose. This is reflective of a
situation where directors recognise that business risk will be significantly reduced, if the company has effective
information processing and accounting functions. However, this situation does not apply to all companies. In some,
both functions may be seen by the directors merely as necessary functional overhead areas of the business and, as
such, they become under-funded and inadequately resourced in terms of staffing and equipment. An auditor engaged
on an audit in such a company should be aware that there is an increased risk of material misstatement in the
financial statements.
5 Organisational structure
ISA 315 describes a company's organisational structure as being the framework within which an entity's activities for
achieving its objectives are planned, executed, controlled and reviewed. The appendix to the ISA then explains that
the appropriateness of an entity's organisational structure depends, in part, on its size and the nature of its activities.
It follows from this that an international consulting company with offices and operations in several countries has
different priorities in terms of organisational structure to a national car sales company with several offices and a
number of sales branches in a single country. Similarly, the organisational structure deemed suitable for such a car
sales company would not be appropriate for a single site manufacturing company. Generally, an auditor may
reasonably expect there to be a positive correlation between the level of inherent risk and the size and complexity of a
company's operations. In assessing the level of the risk of material misstatement, the auditor should consider
whether the company's organisational structure, in terms of authority, responsibility and lines of reporting, meets desired
objectives.
6 Assignment of authority and responsibility
Normally, the larger a company's scale of operations, then the larger the size of the workforce and, inevitably, the
larger the amount of assignment of authority and responsibility that is required. Consequently, companies need to
deal not only with ensuring that appropriate levels of authority and responsibility are assigned to appropriately
qualified and experienced individuals. They also need to ensure that adequate reporting relationships and
authorisation hierarchies are in place. Additionally, individuals need to be properly resourced and made fully aware of
their responsibilities and of how their actions interrelate with the actions of others and contribute to the objectives of
the company. If a company is not successful in meeting each of these needs, then there is an increased probability of
ineffective decisions, errors and oversights by employees leading to an increased risk of material misstatement in its
financial statements. For example, where a wages clerk is authorised to process the wages payroll and is then
assigned the (inappropriate!) authority to enter new employee details into the wages master file.
7 Human resources policies and practices
As explained in ISA 315, human resource policies and practices demonstrate important matters in relation to the
control consciousness of an entity. This implies that if human resources policies and practices are considered to be
sound both in design and in implementation over a range of matters, then the risk of material misstatement will be
reduced.

Examples of these matters include:

Recruitment policies and procedures. These should ensure that only competent individuals with integrity are
employed by the company. Interview procedures should ensure that only candidates meeting the company's
criteria for recruitment are engaged.

There should be adequate induction procedures for new employees, such that they can carry out their
assigned responsibilities effectively and efficiently soon after being engaged by the company.

Employees should be provided with ongoing training, support and mentoring as appropriate, such that they
can continue to carry out their assigned responsibilities effectively and efficiently.

There should be regular formal appraisal, at least annually, of an employee's performance. Performance
should be measured against standardised criteria authorised by senior management of the company, and there
should be ongoing monitoring and feedback to employees about their performance and development needs.

The company should employ comprehensive and transparent employment grievance procedures, such that
employees can be confident that grievances will be dealt with openly and impartially.

There should be open, transparent and equitable employee disciplinary procedures, such that employees
can be confident they will not be treated unfairly by the company in the event that an action triggers its
disciplinary process.

Employment termination procedures should incorporate provision for an exit interview so that the reason for
the termination can be confirmed or clarified, all emoluments due to the employee can be settled and
arrangements can be made for the return of all company assets prior to the termination date.

While each of the above measures will have a positive impact on the internal control of a company, to some extent
they all have the effect of reducing the risk of material misstatement in the financial statements. For example, the
existence of fair and robust grievance and disciplinary procedures reduces the possibility of a successful claim against
the company for constructive or unfair dismissal, and the absence of a material provision in this respect. Significantly,
the existence of human resources policies and practices that are the same or similar to those above should leave a
favourable impression with the auditor, as to the directors' attitude toward their company's workforce. It is likely that
such an attitude would foster good working relationships with employees, leading to an increased likelihood that
individuals would reciprocate by carrying out their tasks diligently with integrity in the best interests of the company
resulting in a reduced risk of material misstatement.
Summary
As indicated at the beginning of this article, its purpose is to provide candidates with a more detailed
appreciation of matters pertinent to an auditor when evaluating the control environment of a limited liability/limited
company. When asked to explain what is meant by the term 'control environment', candidates typically comment that it is a
component of a company's internal control and that it centres around how a company is operated by its management,
reflecting such matters as their philosophy and operating style. While there is some merit in this answer, having now
read the above commentary, candidates should be aware that the term has much more meaning than that.
Written by a member of the audit examining team

ISA 315 (REVISED), IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
The International Auditing and Assurance Standards Board (IAASB) issues International Standards on Auditing (ISAs)
for international use. From time to time, ISAs are revised to provide updated standards to auditors. In order to
enhance the overall quality of audit, the IAASB published a consultation draft on a proposed revision to ISA 315. The
objective in revising ISA 315 is to enhance the performance of external auditors by applying the knowledge and
findings of an entity's internal audit function in the risk assessment process, and to strengthen the framework for
evaluating the use of internal auditors' work to obtain audit evidence.
In March 2012, ISA 315 (Revised) was approved and released. One of the major revisions of ISA 315 relates to the
inquiries made by external auditors of the internal audit function since internal auditors have better knowledge and
understanding of the organisation and its internal control. This article addresses and highlights the components of
internal control.

OBJECTIVES IN ESTABLISHING INTERNAL CONTROLS


Generally speaking, internal control systems are designed, implemented and maintained by the management and
personnel in order to provide reasonable assurance that the objectives are fulfilled, that is, reliability of financial reporting,
efficiency and effectiveness of operations, compliance with laws and regulations and risk assessment of material
misstatement. The manner in which the internal control system is designed, implemented and maintained may vary
with the entity's business nature, size and complexity, etc. Auditors focus on both the audit of financial statements and
internal controls that relate to the three objectives that may materially affect financial reporting.
In order to identify the types of potential misstatements and to determine the nature, timing and extent of audit testing,
auditors should obtain an understanding of relevant internal controls, evaluate the design of the controls, and
ascertain whether the controls are implemented and maintained properly.
The major components of internal control include the control environment, the entity's risk assessment process, the information
system (including the related business processes, control activities relevant to the audit, relevant to financial reporting,
and communication) and monitoring of controls.

CONTROL ENVIRONMENT
The control environment consists of the governance and management functions and the attitudes, awareness and
actions of the management about the internal control. Auditors may obtain an understanding of the control
environments through the following elements.
1. Communication and enforcement of integrity and ethical values
It is important for the management to create and maintain an honest, legal and ethical culture, and to communicate the
entity's ethical and behavioral standards to its employees through policy statements and codes of conduct, etc.
2. Commitment to competence
It is important that the management recruits competent staff who possess the required knowledge and skills at
a competent level to accomplish tasks.
3. Participation by those charged with governance
An entity's control consciousness is influenced significantly by those charged with governance; therefore, their
independence from management, experience and stature, extent of their involvement, as well as the appropriateness
of their actions are extremely important.
4. Management's philosophy and operating style
Management's philosophy and operating style consist of a broad range of characteristics, such as management's
attitude in responding to business risks, financial reporting, information processing, and accounting functions and
personnel, etc. For example, are the targeted earnings realistic? Does the management apply an aggressive approach
where alternative accounting principles or estimates are available? Management's philosophy and operating
style give auditors a picture of the management's attitude towards internal control.
5. Organisational structure
The organisational structure provides the framework within which the entity's activities are planned, implemented,
controlled and reviewed.
6. Assignment of authority and responsibility
With the established organisational structure or framework, key areas of authority and reporting lines should then be
defined. The assignment of authority and responsibility includes the personnel that make appropriate policies and
assign resources to staff to carry out the duties. Auditors may perceive the implementation of internal controls through
the understanding of the organisational structure and the reporting relationships.
7. Human resources policies and practices
Human resources policies and practices generally refer to recruitment, orientation, training, evaluation, counselling,
promotion, compensation and remedial actions. For example, an entity should establish policies to recruit individuals
based on their educational background, previous work experience, and other relevant attributes. Next, classroom and
on-the-job training should be provided to the newly recruited staff. Appropriate training is also available to existing
staff to keep themselves updated. Performance evaluation should be conducted periodically to review staff
performance and provide comments and feedback to staff on how to improve themselves and further develop their
potential, so that they may be promoted to the next level by accepting more responsibilities and, in turn, receive competitive
compensation and benefits.
With ISA 315 (Revised), external auditors are now required to make inquiries of the internal audit function to
identify and assess risks of material misstatement. Auditors may refer to the management's responses to the
identified deficiencies of the internal controls and determine whether the management has taken appropriate actions
to tackle the problems properly. Besides inquiries of the internal audit function, auditors may collect audit evidence of
the control environment through observation of how the employees perform their duties, inspection of documents,
and analytical procedures. After obtaining the audit evidence of the control environment, auditors may then assess
the risks of material misstatement.

ENTITY'S RISK ASSESSMENT PROCESS


Auditors should assess whether the entity has a process to identify the business risks relevant to financial reporting
objectives, estimate their significance, assess the likelihood of the risks' occurrence, and decide actions to
address the risks. If auditors identify risks that the entity's process failed to identify, they should evaluate the reasons why the risk
assessment process failed to identify the risks, determine whether there is a significant deficiency in internal controls in
identifying the risks, and discuss this with the management.

THE INFORMATION SYSTEM, INCLUDING THE RELEVANT BUSINESS PROCESSES, RELEVANT TO FINANCIAL REPORTING AND COMMUNICATION
Auditors should also obtain an understanding of the information system, including the related business processes,
relevant to financial reporting, including the following areas:

The classes of transactions in the entity's operations that are significant to the financial statements. The
procedures by which transactions are initiated, recorded, processed, corrected as necessary, transferred to the
general ledger and reported in the financial statements.

How the information system captures events and conditions that are significant to the financial statements.

The financial reporting process used to prepare the entity's financial statements.

Controls surrounding journal entries.


Understand how the entity communicates financial reporting roles, responsibilities and significant matters to
those charged with governance and external regulatory authorities.

CONTROL ACTIVITIES RELEVANT TO THE AUDIT


Auditors should obtain a sufficient understanding of control activities relevant to the audit in order to assess the risks
of material misstatement at the assertion level, and to design further audit procedures to respond to those risks.
Control activities, such as proper authorisation of transactions and activities, performance reviews, information
processing, physical control over assets and records, and segregation of duties, are policies and procedures that
address risks so that management directives are carried out.

MONITORING OF CONTROLS
In addition, auditors should obtain an understanding of major types of activities that the entity uses to monitor internal
controls relevant to financial reporting and how the entity initiates corrective actions to its controls. For instance,
auditors should obtain an understanding of the sources and reliability of the information that the entity uses in
monitoring the activities. Sources of information include internal auditors' reports and reports from regulators.

LIMITATIONS OF INTERNAL CONTROL SYSTEMS


Effective internal control systems can only provide reasonable, not absolute, assurance of achieving the entity's
financial reporting objective due to the inherent limitations of internal control, for example, management override of
internal controls. Therefore, auditors should identify and assess the risks of material misstatement at the financial
statement level and assertion level for classes of transactions, account balances and disclosures.

CONCLUSION
As internal auditors have a better understanding of the organisation and expertise in its risk and control, the proposed
requirement for external auditors to make enquiries of the internal audit function in ISA 315 (Revised) will enhance the
effectiveness and efficiency of audit engagements. External auditors should pay attention to the components of
internal control mentioned above in order to make effective and efficient enquiries. An increase in the work of internal
audit functions is also expected because of this proposed requirement.
Raymond Wong, School of Accountancy, The Chinese University of Hong Kong, and Dr Helen Wong, Hong
Kong Community College, Hong Kong Polytechnic University

Reference
ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity
and Its Environment